PC Support Sites: Scams and Credibility

Just as 419-ers seem to have been permanently renamed in some quarters as “the Lads from Lagos”, I wonder if we should refer to those irritating individuals who persist in ringing us to offer us help (for a not particularly small fee) with non-existent malware as the “Krooks from Kolkata” (or more recently, the Ne’erdowells from New Delhi). It would be a pity to slur an entire nation with the misdeeds of a few individuals, but the network of such scammers does seem to be expanding across the Indian continent.

Be that as it may, I’ve recently been doing a little work (in association with Martijn Grooten of Virus Bulletin) on some of the ways that PC support sites that may be associated with cold-call scams are bolstering their own credibility by questionable means. Of course, legitimate businesses are also fond of Facebook likes, testimonials and so on, but we’ve found that some of these sites are not playing altogether nicely.

I’ve posted a fairly lengthy joint blog on the topic here: Facebook Likes and cold-call scams

David Harley CITP FBCS CISSP
ESET Senior Research Fellow


Help Desk Scams and Microsoft

Apparently when the coldcalling species of scamming maggot claims to be Microsoft or partnered with Microsoft, there really is sometimes a relationship of sorts lurking behind the scenes there, though that doesn’t mean that Microsoft are at all a party to the scam, of course.

I’ve been gnawing at that particular bone for quite a while now - see, for instance, http://blog.eset.com/?s=Harley+%2B+support+scam and http://go.eset.com/us/resources/white-papers/Hanging-On-The-Telephone.pdf and http://www.scmagazineus.com/supporters-club/article/199459/ - and the name Comantra has turned up time and time again in the context of site registrations, though I haven’t had the resources to confirm links with the company in terms of individual scam calls.

But somehow I’d never realized the company really was a Microsoft Gold Partner. Apparently Microsoft took some time to make the connection too. But they have, and Comantra is no longer a Gold Partner. According to PC Pro, a Microsoft spokesman said:

“We were made aware of a matter involving one of the members of the Microsoft Partner Network acting in a manner that caused us to raise concerns about this member’s business practices. Following an investigation, the allegations were confirmed and we took action to terminate our relationship with the partner in question and revoke their Gold status.”

Somehow, though, I doubt if this means the end of coldcall scams. There were lots of sites and lots of names registered for sites that were associated with individual scammers, and there seems to be no real pressure from law-enforcement in the regions where the calls are actually originating. And Comantra is claiming that it’s all to do with negative marketing from their competitors. Gosh, never heard that one before…

On the other hand, since I moved house a few weeks ago, I haven’t had a single support scam call, though there’ve been a few “we can help you sue your mortgage lender” calls with a reassuringly Indian accent. Still, I miss being told I’m leaking viruses all over Surrey. How long do you suppose it will take them to catch up with me?

David Harley CITP FBCS CISSP. And stuff.
Small Blue-Green World


Comment(ary) Spam…

I’m not sure why I feel the urge to keep writing about comment spam: primarily, I suppose it’s because I get so much amusement from it (just as well considering how much of it I read when I moderate comments on the ESET blog), rather than because the world is full of bloggers waiting for me to tell them how to recognize it, even if it isn’t apparently posted by someone called nike soccer shoes or where to buy a laptop or even my personal favourite of the moment, rolling in the deep adele. (Well, there went my favourite heuristic.)

Still, I liked the cheek of this one:

“Throughout the great scheme of things you’ll get a B- for effort. Where you actually confused me personally was first on your particulars. As people say, the devil is in the details… And it couldn’t be more correct here. Having said that, let me inform you what did deliver the results. Your authoring is pretty powerful which is most likely the reason why I am taking the effort in order to comment. I do not make it a regular habit of doing that. 2nd, even though I can easily see a leaps in reason you make, I am not sure of just how you appear to connect the points which inturn produce the final result. For the moment I shall yield to your point but trust in the foreseeable future you actually link the facts better.”

So much so that I did a quick Google to see how common this particular approach is, and sure enough I found a whole bunch of very similar posts - by similar, I mean the same core text with minor changes such as “the great pattern of things”. Apparently, I’m not the only blogger who tends to assume that if a comment is enthusiastic, it’s probably spam.
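An added example (mine, not the author’s) of how a moderator could catch this templated-spam pattern automatically: word-shingle similarity against known spam text survives the small word swaps (“scheme” for “pattern”) that defeat exact-match filtering. The spam template is abbreviated from the comment quoted above; the other sample comments are constructed.

```python
"""Near-duplicate detection for templated comment spam.

Added example, not code from the original post. Spam templates recur
across many blogs with minor word substitutions, so an exact-match
blocklist misses them; comparing word trigrams (shingles) against a
known template catches the variants while leaving genuine comments alone.
"""
import re
from typing import Dict, Iterable, List, Set, Tuple

# Constructed: an abbreviated version of the spam template quoted above.
KNOWN_SPAM_TEMPLATES: List[str] = [
    "Throughout the great scheme of things you will get a B- for effort. "
    "Where you actually confused me personally was first on your particulars. "
    "As people say, the devil is in the details. Your authoring is pretty "
    "powerful which is most likely the reason why I am taking the effort "
    "in order to comment.",
]

# Constructed sample comments awaiting moderation.
SAMPLE_COMMENTS: Dict[str, str] = {
    # Same template with the "pattern"/"scheme" swap the post mentions.
    "variant": (
        "Throughout the great pattern of things you will get a B- for effort. "
        "Where you actually confused me personally was first on your particulars. "
        "As people say, the devil is in the details. Your authoring is pretty "
        "powerful which is most likely the reason why I am taking the effort "
        "in order to comment."
    ),
    # A real reader: enthusiastic, but not built from the template.
    "legit": (
        "Thanks for the writeup. I disagree about the second heuristic, "
        "though: enthusiastic comments from real readers do exist, as this "
        "one proves."
    ),
}


def normalise(text: str) -> List[str]:
    """Lower-case and keep only alphanumeric tokens, so punctuation and
    capitalisation changes do not affect the comparison."""
    return re.findall(r"[a-z0-9]+", text.lower())


def shingles(text: str, k: int = 3) -> Set[str]:
    """Return the set of k-word shingles. Texts shorter than k words
    yield a single shingle; empty text yields the empty set."""
    words = normalise(text)
    if not words:
        return set()
    if len(words) < k:
        return {" ".join(words)}
    return {" ".join(words[i:i + k]) for i in range(len(words) - k + 1)}


def jaccard(a: Set[str], b: Set[str]) -> float:
    """Jaccard similarity; an empty side counts as no similarity."""
    if not a or not b:
        return 0.0
    return len(a & b) / len(a | b)


def spam_similarity(comment: str,
                    templates: Iterable[str] = KNOWN_SPAM_TEMPLATES,
                    k: int = 3) -> float:
    """Highest shingle similarity between the comment and any template."""
    s = shingles(comment, k)
    return max((jaccard(s, shingles(t, k)) for t in templates), default=0.0)


def is_templated_spam(comment: str, threshold: float = 0.35) -> bool:
    """A single word swap in a 50-word template costs about 3 of ~52
    shingles, so variants score near 0.9; unrelated text scores near 0."""
    return spam_similarity(comment) >= threshold


def triage(comments: Dict[str, str]) -> List[Tuple[str, float, str]]:
    """Score every pending comment and label it for the moderation queue."""
    report = []
    for name, body in comments.items():
        score = spam_similarity(body)
        verdict = "hold: matches spam template" if score >= 0.35 else "release"
        report.append((name, round(score, 2), verdict))
    return report


if __name__ == "__main__":
    for name, score, verdict in triage(SAMPLE_COMMENTS):
        print(f"{name:8s} {score:.2f}  {verdict}")
```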

Thank you for your constructive criticism, Mr feather extensions online: I like your style. But my absolute favourite at the moment is Fritz, who commented dispiritedly that he is “always a big fan of linking to bloggers that I love but don’t get a lot of link love from”: too bad URLs in comments are stripped automatically, or I might have allowed that one through just to put a smile on your face.

David Harley


Commoditizing Pay-Per-Install

We all know, I guess, about the professionalization of Internet crime and the diversification of the underground economy, but measuring it isn’t so easy.

ESET’s Aleksandr Matrosov and Eugene Rodionov have alluded to it in several papers and presentations with particular reference to TDSS, and we consolidated some of that material into an article (actually the first of a series of three articles on TDSS) that talks about the Dogma Millions and GangstaBucks affiliate models used in that context.

However, the paper Measuring Pay-per-Install: The Commoditization of Malware Distribution by Juan Caballero, Chris Grier, Christian Kreibich, and Vern Paxson is based on a measurement study implemented by infiltrating four PPI service providers: LoaderAdv (of which GangstaBucks is one of the brands), GoldInstall, Virut, and Zlob. The authors assert that 12 of the top 20 malware families tracked by FireEye between April and June 2010 were using PPI services to buy infections.

Lots of other interesting data there, too. Hat tip to Aleks for bringing it to my attention.

David Harley CITP FBCS CISSP
ESET Senior Research Fellow


Japan Disaster Commentary and Resources

It probably hasn’t escaped your notice that there’s a lot of malware/SEO/scamming whenever a major disaster occurs. A few days ago I started to put together a list of commentary (some of it my own) and resources relating to the Japanese earthquake and tsunami, in anticipation of that sort of activity.

Originally, I was using several of my usual blog venues, but decided eventually to focus on one site. As ESET had no monopoly on useful information, I wanted to use a vendor-agnostic site. Actually, I could have used this one, but for better or worse, I decided to use the AVIEN blog, since I’ve pretty much taken over the care and feeding of that organization. The blog in question is Japan Disaster: Commentary & Resources.

It’s certainly not all-inclusive, but it’s the largest resource of its type that I’m aware of. Eventually, it will be organized more so as to focus again on the stuff that’s directly related to security, but right now, given the impact of the crisis, I’m posting pretty much anything that strikes me as useful, even if its relevance to security is a bit tenuous.

I’m afraid I’m going to post this pointer one or two other places: apologies if you trip over it more often than you really want to!

David Harley CITP FBCS CISSP
AVIEN COO
ESET Senior Research Fellow


Back on the AMTSO wheel

The next AMTSO members’ meeting is at San Mateo, California, on the 10th-11th February, just before RSA.

I’m not sure how many supporters of the Anti-Malware Testing Standards Organization there are reading this blog, as opposed to those who regard AMTSO as a club with which to beat the anti-virus industry. However, I’m pretty sure that even those who find the generation of testing guidelines documents (which constitutes most of the work at AMTSO meetings) excruciatingly boring will find some interesting material coming out of the organization in the next few weeks.

There’s more information on this year’s AMTSO meetings on the AMTSO meetings page at http://www.amtso.org/meetings.html, including a preliminary agenda.

David Harley CITP FBCS CISSP
Small Blue-Green World


Stuxnet Guesswork

Aviram said in a recent blog about Stuxnet and SCADA here:

After that, we get to theorize on who’s behind it and who is the target. What’s your guess?

And sure enough, half the security world has done just that, and the rest will be talking about it at Virus Bulletin next week. Good fun, maybe, if you don’t think too hard about some of the political implications, but I’m not sure it’s been productive or useful. Which is why I blogged today here.

I’d love to cover the same ground again here, but frankly I’m just too dispirited…

David Harley CITP FBCS CISSP
ESET Senior Research Fellow


Conspiracy Theory

After a while (about 20 years in my case) around the anti-malware industry (the last couple of years actually in it…), you get used to the idea that everyone expects the worst of them… errrr, us:

  • hype and extreme marketing
  • FUD
  • incompetence
  • putting our bottom line above the public well-being
  • bad hygiene

Maybe the last one is a bit paranoid.

Still, we have a bad rep. And the popular myth that AV companies run AMTSO (the Anti-Malware Testing Standards Organization) purely for their own aggrandizement and marketing advantage has some of its origins in that universal mistrust of AV.

If you buy into all that, then you’ll also assume that when five AV researchers, all from different companies, collaborate on a blog that responds to the recent attacks on AMTSO, that’s proof of a conspiracy.

Actually, the AV industry is founded in co-operation: otherwise, your AV product would only ever catch the malware that company had seen in its own honeynets, been sent in by its customers, and so on. But apparently that’s a sign of bad intentions, too.

Whatever. If you’re interested in the blog, here are five places you should be able to find it.

http://bit.ly/at6WT4
http://tinyurl.com/35dv44x
http://tinyurl.com/2w4g6fh
http://tinyurl.com/3aka782
http://community.norton.com/t5/Norton-Protection-Blog/Testing-and-Accountability/ba-p/247711

(And for a somewhat related commentary, http://avien.net/blog/?p=539).

David Harley CITP FBCS CISSP
Not speaking for AMTSO or the AV industry, and definitely not speaking for the testing industry or the media.


AMTSO Inside and Outside

God bless Twitter.

A day or two ago, I was edified by the sight of two journalists asking each other whether AMTSO (the Anti-Malware Testing Standards Organization) had actually achieved anything yet. Though one of them did suggest that the other might ask me. (Didn’t happen.)

Well, it’s always a privilege to see cutting edge investigative journalism in action. I know the word researcher is in my job title, but I normally charge for doing other people’s research. But since you’re obviously both very busy, and as a member of the AMTSO Board of Directors (NB, that’s a volunteer role) I guess I do have some insight here, so let me help you out, guys.

Since the first formal meeting of AMTSO in May 2008, where a whole bunch of testers, vendors, publishers and individuals sat down to discuss how the general standard of testing could be raised, the organization has approved and published a number of guidelines/best practices documents.

To be more specific:

The “Fundamental Principles of Testing” document is a decent attempt at doing what it says on the tin, and provides a baseline definition of what good testing is at an abstract level.

The Guidelines document provides… errrr, guidelines… in a number of areas:

  • Dynamic Testing
  • Sample Validation
  • In the Cloud Testing
  • Network Based Product Testing
  • Whole Product Testing
  • Performance Testing

Another document looks at the pros and cons of creating malware for testing purposes.

The analysis of reviews document provides a basis for the review analysis process, which has so far resulted in two review analyses. That was a fairly painful gestation: in fact, there was a volatile but necessary period, in the first year in particular, while various procedures, legal requirements and so on were addressed. Several other papers are being worked on.

A fairly comprehensive links/files repository for testing-related resources was established here and new resources added, from AMTSO members and others.

Unspectacular, and no doubt journalistically uninteresting. But representing a lot of volunteer work by people who already have full time jobs.

You don’t have to agree with every sentence of every document: the point is that these documents didn’t exist before, and they go some way towards meeting the needs of those people who want to know more about testing, whether as a tester, tester’s audience, producer of products under test, or any other interested party. Perhaps most importantly, the idea has started to spread that perhaps testers should be accountable to their customers (those who read their reviews) for the accuracy and fitness for purpose of their tests, just as security vendors are accountable to their own customers.

[Perhaps I’d better clarify that: I’m not saying that tests have to be or can be perfect, any more than products are. (You might want 100% security or 100% accuracy, but that isn’t possible.)]

You don’t have to like what AMTSO does. But it would be nice if you’d actually make an effort to find out what we do and maybe even consider joining (AMTSO does not only admit vendors and testers) before you moan into extinction an organization that is trying to do something about a serious problem that no-one else is addressing.

David Harley CITP FBCS CISSP
Not speaking for AMTSO


IEEE eCrime Researchers Summit 2010

The fifth IEEE eCrime Researchers Summit 2010 (http://ecrimeresearch.org) will be held in conjunction with the 2010 APWG General Meeting between October 18-20, 2010 at Southern Methodist University in Dallas, TX.

Topics of interest include:

* Phishing, rogue-AV, pharming, click-fraud, crimeware, extortion and emerging attacks.
* Technical, legal, political, social and psychological aspects of fraud and fraud prevention.
* Malware, botnets, ecriminal/phishing gangs and collaboration, or money laundering.
* Techniques to assess the risks and yields of attacks and the success rates of countermeasures.
* Delivery techniques, including spam, voice mail and rank manipulation; and countermeasures.
* Spoofing of different types, and applications to fraud.
* Techniques to avoid detection, tracking and takedown; and ways to block such techniques.
* Honeypot design, data mining, and forensic aspects of fraud prevention.
* Design and evaluation of user interfaces in the context of fraud and network security.
* Best practices related to digital forensics tools and techniques, investigative procedures, and evidence acquisition, handling and preservation.

Important dates: (11:59pm US EDT)
Full paper and RIP (Research in Progress) paper submissions due: June 30, 2010
Paper notification: Aug 1, 2010
Poster submissions due: August 29, 2010
Poster notifications: September 5, 2010
Conference: October 18-20, 2010
Camera ready due: October 27, 2010

For more information on the submission process, visit
http://www.ecrimeresearch.org/2010/cfp.html


Anti-Phishing Working Group: CeCOS IV

The Anti-Phishing Working Group has asked its members to publicize the forthcoming Counter eCrime Operations Summit in Brazil, which I’m pleased to do. Apologies to those who will have come across this elsewhere, including some of my other blogs.

This year the APWG is hosting its fourth annual Counter eCrime Operations Summit (CeCOS IV) on May 11, 12 & 13 in São Paulo, Brazil. The Discounted Early Bird Registration rate will end on April 9th. Do not miss this opportunity to join our host CERT.br with APWG Members from around the globe at this one of a kind event. Counter-eCrime professionals will meet for sessions and discussion panels that look into case studies of organizations under attack and deliver narratives of successful trans-national forensic cooperation.

This is APWG’s first visit to South America and will help build our network of trusted friends worldwide. The discounted registration rate of $250 USD covers all three days of content, lunch, breaks and the Wednesday night reception. (NOTE: APWG Members will receive an additional discount during registration) This “Early Bird” rate will end on April 9th, after that through the beginning of the event on 11 May registration is $325 USD.

A partial agenda is posted at the link below. Translation services for English, Spanish and Portuguese will be available for all sessions.

http://www.apwg.org/events/2010_opSummit.html#agenda

Register Here:

http://secure.lenos.com/lenos/antiphishing/cecos2010/

David Harley FBCS CITP CISSP
Security Author/Consultant at Small Blue-Green World
Chief Operations Officer, AVIEN
ESET Research Fellow & Director of Malware Intelligence

Also blogging at:
http://avien.net/blog
http://www.eset.com/blog
http://blogs.securiteam.com
http://blog.isc2.org/
http://dharley.wordpress.com
http://macvirus.com


Mac Virus update

I know, there ain’t no such thing!

Well, we could have a lively debate on that topic, but not right now.

On this occasion, I’m just letting anyone who wonders what happened to the Mac Virus web site (http://www.macvirus.com), which I inherited from Susan Lesch some years ago, know what’s happening with it. We have nothing to do with the cobwebby sites at http://www.macvirus.net and http://www.macvirus.org, or with http://macvirus.wordpress.com, whatever that is.

The http://www.macvirus.com URL actually redirects to my own Mac page on the Small Blue-Green World site, which now re-redirects to a Wordpress page. If you want to go straight to the Mac Virus blog, you can go direct here. It’s still malware-oriented, of course, and is likely to become more rather than less active in that area.

In fact, most of my Small Blue-Green World content now resides on blog pages. ESET content is still blogged at http://www.eset.com/threat-center/blog/, of course, and AVIEN content is blogged at http://avien.net/blog/.

Confused? Me too…

We now return you to your normal programming. Scheduling, that is, not coding. Unless that’s what you’re doing at the moment. Oh, never mind.

The next time I blog here, it will be about a proper security issue again. I hope.

David Harley FBCS CITP CISSP
Security Author/Consultant at Small Blue-Green World
Chief Operations Officer, AVIEN
ESET Research Fellow & Director of Malware Intelligence

Also blogging at:
http://avien.net/blog
http://www.eset.com/threat-center/blog
http://smallbluegreenblog.wordpress.com/
http://macviruscom.wordpress.com
http://blog.isc2.org/
http://dharley.wordpress.com


Is this the laziest 419 of all time?

Subject: the sum of 1,000,000.00 Pounds
From: British Tobacco Promo

[Most of the address fields spoofed a US educational institution, though the reply-to was an address in China.]

Message Body:

You have won 1,000,000.00 Reply us with  your  details
Name:Occupation:Country:Sex

[This message is actually several weeks old, but I just spotted it while cleaning up one of my mailboxes. Could any potential victim honestly be that naive?]

David Harley FBCS CITP CISSP
Director of Malware Intelligence, ESET

Also blogging at:
http://dharley.wordpress.com/
http://www.eset.com/threat-center/blog
http://avien.net/blog
http://blog.isc2.org/


A Fairy Tale

Withdrawn on legal advice. Sigh…

So I’m going to ask some hypothetical questions instead.

Principle 3 of the AMTSO (Anti-Malware Testing Standards Organization) guidelines document (http://www.amtso.org/amtso—download—amtso-fundamental-principles-of-testing.html) states that “Testing should be reasonably open and transparent.”

The document goes on to explain what information on the test and the test methodology it’s reasonable to ask for.

So is it open and transparent for an anti-malware tester who claims that his tests are compliant with AMTSO guidelines to decline to answer a vendor’s questions or give any information about the reported performance of their product unless they buy a copy of the report or pay a consultancy fee to the tester?

There is, of course, nothing to stop an anti-malware tester soliciting payment from the vendors whose products have been tested both in advance of the test and in response to requests for further information. But is he then entitled to claim to be independent and working without vendor funding? In what respect is this substantially different to the way in which certification testing organizations work, for example?

It seems to me that AMTSO is going to have to consider those questions at its next meeting (in Prague, next week). Purely hypothetically, of course. What do you think?

David Harley CISSP FBCS CITP
Small Blue-Green World


A Myth Laid to Reset: I’m Sorry, to Rest

As it’s been a while, here’s a little light-ish relief from my semi-recreational blog….

http://dharley.wordpress.com/2009/09/19/a-myth-laid-to-rest/


Code Red, the BBC, and the Computer Misuse Act

Early in this decade, well before I became assimilated by the anti-malware industry, I sat in my office in Birmingham (the one in the UK) and argued vehemently with another independent researcher (now deceased, sadly, but I won’t name him anyway).

He’d had an idea about the Code Red worm problem that was currently very high on the public radar: why not use the same infection mechanism to send a worm out looking for machines that hadn’t been patched to address the IIS vulnerability that Code Red exploited, and force vulnerable machines to patch?

As I remember, I argued that:

  • It would alienate him from other members of the research community: many of us have signed Codes of Conduct that would expressly forbid that approach.
  • It would make assumptions about the target machines and their owners that he wasn’t entitled to make.
  • It would involve unauthorized access and modification to other systems, which is specifically addressed in criminal legislation in many, many countries. (Including the United Kingdom, where we both lived, but I’ll come back to that.) So actively illegal (in some places) as well as ethically flaky.
  • It would add legitimacy to those malware authors who add minimal disinfection of other malware to their creations, probably in the forlorn hope of persuading a jury that their intentions were good, if they ever find themselves in the dock.
  • If you make a coding error in a non-replicative utility that causes damage to a system, there’s usually some means of fixing it, and at worst the damage is localised. If you make a coding error in a utility that self-replicates, then a lot of people are going to have to live with it, and you won’t be able to do much about it. Unless you want to get into a cycle of send out worm, send out worm to fix bugs in first worm, send out worm to fix bugs in second worm, send out… well, you get the idea. Too many potential bugs travelling by bug.

Well, he seemed convinced by my arguments: though “good” worms that took the same approach were discussed elsewhere and some examples of such code eventually made it into the outside world in some form, I have no reason to suppose that he had any connection with any of them.

Fast forward to 2009. The BBC’s Click program, to be screened on March 14th, “managed to acquire its own low-value botnet…after visiting chatrooms on the internet.” In order to demonstrate its own clevern… - sorry, in order to demonstrate “botnets’ collective power when in the hands of criminals” it set up “its” botnet to send pseudo-spam messages to a couple of email accounts they’d set up specifically for this purpose. Then the presenters used it to carry out a DDoS (Distributed Denial of Service) attack on a server belonging to a security company, with that company’s permission.

Then Click changed the Windows desktop wallpaper on the infected machines to let their owners or users know that their machines had been part of a botnet and advise them on steps to take to secure their machines, and “destroyed its botnet”. (I presume that means they removed or somehow deactivated the bot/agent malware on each infected machine.)

So what does this have to do with my deceased friend? Primarily, the Computer Misuse Act. As Graham Cluley has argued at some length and very convincingly on his blog today, the BBC’s actions may have put it at risk of contravening the UK’s primary legal defense against direct attacks on computer systems. The BBC tell us that they didn’t break the law because they had no criminal intent.

As Ken Bechtel once remarked, AV researchers would make poor lawyers because they’re incapable of passing the bar. Well, I’m not in a bar at the moment, but I’m not a lawyer either, so don’t take this as being in the least authoritative. But I have to wonder whether Click passed this in front of the Beeb’s legal department before they undertook this exercise.

As I understand it, the defense of criminal intent has been defined in English law as “the decision to bring about a prohibited consequence”. The 1990 Act defines the computer misuse offences as:

1. Unauthorised access to computer material.
2. Unauthorised access with intent to commit or facilitate commission of further offences.
3. Unauthorised modification of computer material.

The Act also defines an individual’s guilt according to whether he uses a computer to “secure access” to a program or data held in any computer, whether he’s authorised to secure that access, and whether he knows that his access is unauthorised. I don’t think there’s any doubt that the BBC were not “authorised” to access or modify programs or data on these machines by their owners.

In some jurisdictions, there’s a potential defence where no measures were taken to protect the victim’s machine, but an amendment to introduce that possibility into the 1990 act was rejected.

Criminal liability is, apparently, normally measured according to whether (a) a criminal act was committed and (b) the person who committed the act intended to commit a criminal act. So intent (mens rea, often freely translated as “guilty mind”) is important. But in this case, I suspect that if the incident went to court, the question might be not “did the defendant intend to break the law?” in the general sense of becoming a “real” botherder, but in the sense of committing an offence (actus reus, a criminal act) under the provisions of specific legislation. However benevolent its intentions, did the BBC know it was in breach of the Computer Misuse Act? Did they actually buy a botnet? (If so, they might want to bear in mind the case of virus author Christopher Pile, one of the few people actually convicted under the CMA, who was convicted of knowingly inciting others to cause unauthorised modification, as well as doing so himself.)

As far as I can tell from the BBC’s article, the program presenters were perfectly aware that they had no authorisation to access any of those 22,000 machines. As far as I can tell from the wording of the Act (but remember that I have no legal training whatsoever!), it doesn’t take into account the fact that it might be broken for benevolent purposes: either your access is authorised, or it isn’t.

On the plus side, little or no “real” harm was done. The BBC sent itself multiple email messages to two accounts specifically created to receive them. Perhaps Prevx’s reputation has suffered slightly from the revelation that the server against which they allowed the BBC to launch a DDoS attack became inaccessible so quickly: according to Click, it took just 60 machines to bring it to its knees. But perhaps it was configured to collapse easily, for a more effective demonstration.

The unprotected machines were presumably (at least temporarily) relieved of the malware which gave the BBC access in the first place, and hopefully some of their owners learned something from the experience. (I have to wonder whether and how the BBC were actually able to check that their action didn’t have any ill effects on all 22,000 of those systems…)

I don’t know if the BBC or the Click presenters are guilty of anything in legal terms: I do think they’ve failed to think things through properly…

David Harley BA CISSP FBCS CITP
Small Blue-Green World
Director of Malware Intelligence ESET


Vulnerability Scanner